Posted by samzenpus on Sunday March 17, 2013 @12:48PM from the open-book dept.

dstates writes "SAM (Systems for Awards Management) is a financial management system that the US government requires all contractors and grantees to use. This system has recently been rolled out to replace the older CCR system. Friday night, thousands of SAM users received the following message: 'Dear SAM user, The General Services Administration (GSA) recently has identified a security vulnerability in the System for Award Management (SAM), which is part of the cross-government Integrated Award Environment (IAE) managed by GSA. Registered SAM users with entity administrator rights and delegated entity registration rights had the ability to view any entity's registration information, including both public and non-public data at all sensitivity levels.' From March 8 to 10, any registered user who searched the system could view confidential information including account and social security numbers for any other user of the system. Oops! The Government Services Administration says that they have fixed the problem."

Firstly, how do you know that's all they did? Secondly, why wouldn't it constitute a fix, if it (y'know) fixes the problem?

My read on the original comment was that dstates was poking some fun at the notion that they 'could' fix the problem. How do you 'fix' unauthorized SSN access? It isn't really fixable - the FAQ cited says they are giving them access to free credit monitoring services. Gee thanks. That doesn't fix anything.
Whoever was responsible for releasing that FAQ needs to do some soul-searching, imho. It seemed, to me, to almost suggest that the users were somehow responsible for this breach, because they "opted

Half of our shared government is devoted to the proposition that government itself is THE problem our country has, and any step taken to damage the credibility of, or simply interfere with government is a positive step.

Therefore, funding at all levels is cut, and even minimal oversight gets cut.

Without oversight, contractors get more 'emergency' jobs, and have to expand, without anyone checking what they're doing. So, they buy more computers, hire more staff, and roll out services as quickly as they can.

Who would be surprised that minimal standards for something as tertiary to the money-making process as security gets ignored in this process? You hire contractors to cover government jobs so they can work faster (sloppy), automate more, not double-check everything.

When inevitable problems occur, you blame the contractor, hire the next contractor, and pretend everything is good for a while longer.

The end result meets the ideal though - a completely inefficient government, more privatization, and a way to pretend all the corruption is just how government works, even though you're actually forcing it to act this way.

Too many people who blame government for everything don't look at the simple point that issues like this are usually mistakes made by the vendors who sell shoddy crap to the government. It's a lot like blaming government for the fraud in Medicare, when it's actually the doctors committing fraud, and you don't hear about it until the government catches the criminal.

Government is always the problem....when you have idiots elected to office who intentionally t

The reason Northrop Grumman is raping your ass is because congress comes up with a random budget at random times. Therefore, we can only fix problems on their schedule, which means that we have to pay Northrop to drop other customers to do the work we desperately need, when it becomes desperate enough to get congressional add money, and then pay them to keep everyone on staff that is no longer working on their project because we tied up resources for this, and then we get to pay them to get extra people up

Making all government contractors sign in on a single "trusted" site is a good recipe for disaster. In fact, it is the perfect honeypot to convince people that we are under attack.

This is a troll, right? If you think the government is capable of gathering information from MULTIPLE sources and making heads or tails from it, I have a couple of memorial fountains to sell you in lower Manhattan. Likewise, if you think that 5 websites would have fewer bugs than one website... How the hell did you get such a low ID anyway?

If all those companies have to log in to a single website (that could require Java, Flash, Acrobat, or whatever that could have a 0-day exploit, and no one will block anything from there, as it is a trusted website), it could be used to plant something like Red October [hitb.org] in a lot of sensitive places. It could be in a not very visited place of the site to delay detection while still getting victims (i.e. just replacing a PDF), could not be detected in all companies it tries to infect, could be low profile enough as

Exactly why I registered at CCR/SAM with a bank account that has all of $10 in it (to keep the account open). When the Gov't pays us, I immediately transfer the money over to our real business account--at the bank where I know the manager.

US government agencies should have no problem managing the entire healthcare system under the ACA because there are so many tens of thousands of pages of regulations, they will obviously cover every single thing that needs to be done and done correctly and safely...

That's because you didn't opt-out of "publicly" listing your company's infoz, though I've never understood why the fraq any private sector contractors should EVER have such easy access to the data. Alas, it's too late, anyway! I am still getting boatloads of spam from after I first registered on CCR several years ago (like, 5). Never would have imagined listing company infoz for gov agencies to see would lead to copious amounts of SPAM. One company even snail mailed me a nice ink pen with my company's n

any registered user who searched the system could view confidential information including account and social security numbers for any other user of the system

Only users who had entity administrator rights and delegated entity registration rights could do that. So they were users with higher than normal privileges. The main issue was that the SSNs of some entities were displayed to some users who were not allowed to administrate those entities. The users with entity administrator rights and delegated entity registration rights need to see the SSN of entities they have rights to administrate. In the search function I bet the SSN was in a column that was only visible to users with those rights. The issue comes when the column is displayed. Rather than filtering each row to see if the user was allowed to see that specific entity's information, the user was allowed to see every entity's information. In some rows the information should have been there; in others it should have been blank. Why not only allow them to search entities they can administrate? What if the user is looking for the public information on an entity they cannot administrate? In effect they had the column filter correct but not the row filter.

When there are users with some administration powers it is a complex problem to give them enough access without giving them too much.

In the end it comes down to a small data exposure exploitable by a few users who have privileged user access. This is very different from a hacker being able to access the information. I bet anyone who has dealt with these kinds of complex permissions has made similar mistakes. Hopefully they get caught in QA but sometimes they slip through. I laugh when I see posts about these security holes being an example of government incompetence considering the number of security holes in most major software packages in existence. If you have an ax to grind with the government this is not a good target.
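The "column filter right, row filter missing" pattern described in the comment above, as an added illustration that is not part of the thread and not SAM's code. The table, user names and rights are constructed; the vulnerable search gates the sensitive column on whether the user holds any administrator right at all, while the fixed search also checks, row by row, that the user administers that specific entity.

```python
import sqlite3

# Constructed sample data (not from SAM): entities with one sensitive field,
# and the set of entity ids each user is allowed to administer.
ENTITIES = [
    (1, "Acme Widgets", "public contact A", "SSN-AAA"),
    (2, "Beta Supply", "public contact B", "SSN-BBB"),
    (3, "Gamma Corp", "public contact C", "SSN-CCC"),
]
ADMIN_RIGHTS = {"alice": {1}, "bob": {2, 3}, "carol": set()}


def build_db():
    """In-memory SQLite table holding the constructed entity records."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE entity(id INTEGER, name TEXT, public_info TEXT, ssn TEXT)")
    db.executemany("INSERT INTO entity VALUES (?, ?, ?, ?)", ENTITIES)
    return db


def _matching_rows(db, term):
    # Public search: everyone may find any entity by name.
    return db.execute(
        "SELECT id, name, public_info, ssn FROM entity WHERE name LIKE ? ORDER BY id",
        (f"%{term}%",),
    ).fetchall()


def search_vulnerable(db, user, term):
    """Column filter only: a user who administers ANY entity sees EVERY match's SSN."""
    show_ssn = bool(ADMIN_RIGHTS.get(user))          # coarse, per-user decision
    return [(i, n, p, s if show_ssn else None) for i, n, p, s in _matching_rows(db, term)]


def search_fixed(db, user, term):
    """Column AND row filter: the SSN is revealed only on rows the user administers."""
    allowed = ADMIN_RIGHTS.get(user, set())
    return [(i, n, p, s if i in allowed else None) for i, n, p, s in _matching_rows(db, term)]


if __name__ == "__main__":
    db = build_db()
    for fn in (search_vulnerable, search_fixed):
        print(fn.__name__, [(row[1], row[3]) for row in fn(db, "alice", "")])
```

Running the block shows alice (administrator of entity 1 only) receiving all three SSNs from the vulnerable search and exactly one from the fixed search, while public fields stay searchable for every user either way.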

A huge fraction of the "users" in that system are "administrators". You "administer" your company's information. There is afaik no other reason to have a "user account" on the system. An individual user *may* have administrator rights to multiple "corporate entity IDs".

Also this system contains an account for EVERY tiny little company that has ever had at least one contract with a federal agency, or ever dreamed of selling something into a government enviro

Entity administrator rights are only half of the requirements. You forgot about the second part, that the entity must also have "delegated entity registration rights". You have to have rights to register other entities and I doubt that they give that right to everyone. While the first hurdle is pretty easy, the second one is probably much harder.